Program instrumentation method and apparatus for constraining the behavior of embedded script in documents

a script and embedded script technology, applied in the field of computer programming, can solve the problems of difficult control from the user's point of view, javascript code from attacker.com will not be able to read a cookie set by mybank.com, and annoying pop-ups of undesirable contents

Inactive Publication Date: 2008-04-03
NTT DOCOMO INC
View PDF9 Cites 71 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

As is the case of other forms of mobile code, JavaScript programs introduce potential security vulnerabilities and loopholes for malicious parties to exploit.
Unfortunately, this feature has been heavily exploited to generate annoying pop-ups of undesirable contents, some of which are difficult to “control” from a web user's point of view (e.g., control buttons out of screen boundary, instant respawning when closed).
More severely, this feature has also been exploited for launching phishing attacks, where key information about the origin of the web page is hidden from users (e.g., a hidden location bar), and false information assembled to trick users into believing malicious contents (e.g., a fake location bar).
For instance, JavaScript code from attacker.com will not be able to read a cookie set by mybank.com.
Unfortunately, many web applications exhibit XSS vulnerabilities, where a malicious piece of script can be injected into a web page produced by a vulnerable application.
The situation is potentially worse than for

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Program instrumentation method and apparatus for constraining the behavior of embedded script in documents
  • Program instrumentation method and apparatus for constraining the behavior of embedded script in documents
  • Program instrumentation method and apparatus for constraining the behavior of embedded script in documents

Examples

Experimental program
Comparison scheme
Effect test

an example implementation

Architecture

[0119]FIG. 14 illustrates an example of an implementation architecture. Each of the modules may comprise hardware (circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both.

[0120] Referring to FIG. 14, the implementation may extend a browser with three small modules—module 1401 for the syntactic code rewriting (ι), module 1402 for interpreting the special instruction (instr), and module 1404 for implementing the security policy (Π). In one embodiment, a browser 1403 does not interpret a document D directly. Instead, browser 1403 interprets a rewritten version ι(D) produced by the rewriting module. Upon a special instruction instr(E), the implementation of instr evaluates the expression E and sends the result document D′ through rewriting module 1401. The result of the rewriting ι(D′) is directed back to browser 1403 for further interpretation. Upon a call to the policy interface che...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

A method and apparatus is disclosed herein for constraining the behavior of embedded script in documents using program instrumentation. In one embodiment, the method comprises downloading a document with a script program embedded therein, inspecting the script program, and rewriting the script program to cause behavior resulting from execution of the script to conform to one or more policies defining safety and security. The script program comprises self-modifying code (e.g., dynamically generated script).

Description

PRIORITY [0001] The present patent application claims priority to and incorporates by reference the corresponding provisional patent application Ser. No. 60 / 816,679, entitled, “Program Instrumentation Method and Apparatus for Constraining the Behavior of Embedded Script in HTML Documents”, filed on Jun. 26, 2006.FIELD OF THE INVENTION [0002] The present invention relates to the field of computer programming; more particularly, the present invention relates to controlling (e.g., constraining) the behavior of embedded script in documents (e.g., HTML documents). BACKGROUND OF THE INVENTION [0003] JavaScript has become a popular tool in building web pages. JavaScript programs are essentially a form of mobile code embedded in HTML documents and executed on client machines. With help of the Document Object Model (DOM) and other browser features, JavaScript programs can obtain restricted access to the client system and improve the functionality and appearance of web pages. [0004] As is the...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
IPC IPC(8): G06F17/30G06F9/44
CPCG06F21/50G06F21/51H04L63/1483H04L63/1441G06F21/56G06F21/00G06F9/00
Inventor YU, DACHUANCHANDER, AJAYISLAM, NAYEEM
Owner NTT DOCOMO INC
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap